|Home > Security Bulletins > S2-018|
Broken Access Control Vulnerability in Apache Struts2
|Who should read this||All Struts 2 developers and users|
|Impact of vulnerability||Permissions, Privileges, and Access Controls|
|Maximum security rating||Important|
|Recommendation||Developers should immediately upgrade to Struts 184.108.40.206|
|Affected Software||Struts 2.0.0 - Struts 220.127.116.11|
|Reporter||Zhu Gang, Zhang Jin, Huawei PSIRT|
The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 18.104.22.168, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.
In Struts 22.214.171.124 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper:
After upgrading to Struts 126.96.36.199, applications using the "action:" will stop working. You can use above constants to steer that behaviour.
|It is strongly recommended to upgrade to Struts 188.8.131.52, which contains the corrected Struts2-Core library.|